Among the biggest challenges facing enterprises today is the lack of a sound information assurance policy and accompanying standards for deploying new technological architectures and controls to combat threats. Enterprises in critical sectors make common mistakes in defining the organization's information assurance policy, which leaves large gaps in their security. It's time CISOs took control, evolved a governance structure through consensus with the business and established information assurance standards that are practical to enforce. Qatar's National Information Assurance Policy guides enterprises and CISOs in securing their assets against threats to confidentiality, integrity and availability.

Common Mistakes

I strongly believe security policy is one area to which most enterprises pay the least attention. Most often, policies are developed by consultants or IT staff who are not well-versed in the business and its organizational culture.

CISO awareness of how to build an effective information security program is imperative, given that the government of Qatar has established compliance standards to combat these threats.

Ideal Governance Structure and Policy Parameters

What should the ideal security governance structure within an enterprise be? What parameters are critical when defining the policy? Why do policies fail? How must compliance and information assurance tools be used to manage risk across the environment?

As a first step, I'd recommend that CISOs adopt Qatar's National Information Assurance Policy, which targets critical sector organizations and is mapped to international standards such as ISO 27001:2013 and PCI DSS v3.1.

Ideally, CISOs must base the program on the principle that not all information assets require a high level of assurance.

They should follow the Pareto rule: roughly 80 percent of assets need only minimal controls, while the remaining 20 percent require additional controls commensurate with their value. Baseline (mandatory) controls still apply to all assets regardless of classification. To find that critical 20 percent, entities must first conduct a Business Impact Analysis to identify critical business processes, then identify the information assets within those processes and classify them according to the Confidentiality, Integrity and Availability triad.

Further, I believe classification of information assets is essential: no organization should spend a fortune securing an asset of little or no value.

What should the ideal governance structure be for developing a framework? The answer does not lie in the format or syntax of the policy document. What matters most is having the right governance in place: assigning an owner for the infosec program at the right executive level, with the right management support. Beyond governance, the parameters that matter when defining the policy are these:

Define key metrics to measure the program's performance and assess whether it has delivered its objectives;

Choose security controls that are practical, enforceable and provide the required security without compromising the business itself;

Once formulated, communicate the policy adequately to its audience; security policies should become part of the employee onboarding process and of regular security awareness sessions;

Security policies must enable proactive risk management and must withstand audit scrutiny;

Policies must be designed to be effective in managing outsourcing and third-party risks.

While compliance is a means, the real objective is building an infosec culture and integrating it into the organization's DNA. Policy management is not only about writing policies, but also about executing them through effective implementation and compliance enforcement. CISOs must also ensure that security is discussed at the highest management level alongside other enterprise risks, as part of normal business.

I recommend appointing a head for the infosec program reporting to the organization's highest authority. The policy must be developed through consensus with the business, not in isolation.

Also, infosec operations should be separated from the information security (IS) manager's role and responsibilities. Ideally, in my opinion, IS operations should sit within IT, whereas overall IS governance should be provided by the IS manager reporting directly to the highest level, potentially the CEO or the Board.

Samir K. Pawaskar is the head of Cyber Security Policy & Standards, Ministry of Information & Communications Technology, Qatar.

About the Author

Pawaskar is an experienced information security professional with more than nineteen years of experience in diverse verticals such as telecommunications, government, hospitality and engineering, with some of the leading blue-chip companies in the region. More than twelve of those years have been specifically in the realm of information security. He is currently Head of Cyber Security Policy and Standards in the Cyber Security Division at the Ministry of Information & Communications Technology, Qatar. Key achievements include the successful development of the National Information Assurance (NIA) Policy (Qatar's Information Security Policy) and the complete program around it to drive its adoption and compliance among stakeholders. He delivered Q-PKI, Qatar's National PKI Project, and has played a key role (as author, reviewer and SME) in a number of policy documents published by the Cyber Security Sector, ictQATAR, including key legislation drafted by ictQATAR, as well as providing input to the National Cyber Security Strategy. Pawaskar also conceived and contributed to developing the Qatar Business Continuity Guidelines through a unique public-private partnership (PPP) model.